Редагувати

Поділитися через


Microsoft Sentinel solution for Microsoft Power Platform: security content reference

This article details the security content available for the Microsoft Sentinel solution for Power Platform. For more information about this solution, see Microsoft Sentinel solution for Microsoft Power Platform overview.

Important

  • The Microsoft Sentinel solution for Power Platform is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
  • The solution is a premium offering. Pricing information will be available before the solution becomes generally available.
  • Provide feedback for this solution by completing this survey: https://aka.ms/SentinelPowerPlatformSolutionSurvey.

Built-in analytics rules

The following analytic rules are included when you install the solution for Power Platform. The data sources listed include the data connector name and table in Log Analytics. To avoid missing data in the inventory sources, we recommend that you don't change the default lookback period defined in the analytic rule templates.

Rule name Description Source action Tactics
PowerApps - App activity from unauthorized geo Identifies Power Apps activity from countries in a predefined list of unauthorized countries.

Get the list of ISO 3166-1 alpha-2 country codes from ISO Online Browsing Platform (OBP).

This detection uses logs ingested from Microsoft Entra ID and requires that you also enable the Microsoft Entra ID data connector.
Run an activity in Power App from a country that's on the unauthorized country code list.

Data sources:
- Power Platform Inventory (using Azure Functions)
InventoryApps
InventoryEnvironments
- Microsoft Power Platform Admin Activity (Preview)
PowerPlatformAdminActivity
- Microsoft Entra ID
SigninLogs
Initial access
PowerApps - Multiple apps deleted Identifies mass delete activity where multiple Power Apps are deleted, matching a predefined threshold of total apps deleted or app deleted events across multiple Power Platform environments. Delete many Power Apps from the Power Platform admin center.

Data sources:
- Power Platform Inventory (using Azure Functions)
InventoryApps
InventoryEnvironments
- Microsoft Power Platform Admin Activity (Preview)
PowerPlatformAdminActivity
Impact
PowerApps - Data destruction following publishing of a new app Identifies a chain of events when a new app is created or published and is followed within 1 hour by mass update or delete events in Dataverse. If the app publisher is on the list of users in the TerminatedEmployees watchlist template, the incident severity is raised. Delete a number of records in Power Apps within 1 hour of the Power App being created or published.

Data sources:
- Power Platform Inventory (using Azure Functions)
InventoryApps
InventoryEnvironments
- Microsoft Power Platform Admin Activity (Preview)
PowerPlatformAdminActivity
- Microsoft Dataverse (Preview)
DataverseActivity
Impact
PowerApps - Multiple users accessing a malicious link after launching new app Identifies a chain of events when a new Power App is created and is followed by these events:
- Multiple users launch the app within the detection window.
- Multiple users open the same malicious URL.

This detection cross correlates Power Apps execution logs with malicious URL click events from either of the following sources:
- The Microsoft 365 Defender data connector or
- Malicious URL indicators of compromise (IOC) in Microsoft Sentinel Threat Intelligence with the Advanced Security Information Model (ASIM) web session normalization parser.

Get the distinct number of users who launch or click the malicious link by creating a query.
Multiple users launch a new PowerApp and open a known malicious URL from the app.

Data sources:
- Power Platform Inventory (using Azure Functions)
InventoryApps
InventoryEnvironments
- Microsoft Power Platform Admin Activity (Preview)
PowerPlatformAdminActivity
- Threat Intelligence
ThreatIntelligenceIndicator
- Microsoft Defender XDR
UrlClickEvents
Initial access
PowerAutomate - Departing employee flow activity Identifies instances where an employee who has been notified or is already terminated, and is on the Terminated Employees watchlist, creates or modifies a Power Automate flow. User defined in the Terminated Employees watchlist creates or updates a Power Automate flow.

Data sources:
Microsoft Power Automate (Preview)
PowerAutomateActivity
- Power Platform Inventory (using Azure Functions)
InventoryFlows
InventoryEnvironments
Terminated employees watchlist
Exfiltration, impact
PowerPlatform - Connector added to a sensitive environment Identifies the creation of new API connectors within Power Platform, specifically targeting a predefined list of sensitive environments. Add a new Power Platform connector in a sensitive Power Platform environment.

Data sources:
- Microsoft Power Platform Admin Activity (Preview)
PowerPlatformAdminActivity
- Power Platform Inventory (using Azure Functions)
InventoryApps
InventoryEnvironments
InventoryAppsConnections
Execution, Exfiltration
PowerPlatform - DLP policy updated or removed Identifies changes to the data loss prevention policy, specifically policies that are updated or removed. Update or remove a Power Platform data loss prevention policy in Power Platform environment.

Data sources:
Microsoft Power Platform Admin Activity (Preview)
PowerPlatformAdminActivity
Defense Evasion
Dataverse - Guest user exfiltration following Power Platform defense impairment Identifies a chain of events starting with disablement of Power Platform tenant isolation and removal of an environment's access security group. These events are correlated with Dataverse exfiltration alerts associated with the impacted environment and recently created Microsoft Entra guest users.

Activate other Dataverse analytics rules with the MITRE tactic 'Exfiltration' before enabling this rule.
As a recently created guest user, trigger Dataverse exfiltration alerts after the Power Platform security controls are disabled.

Data sources:
- PowerPlatformAdmin
PowerPlatformAdminActivity

- Dataverse
DataverseActivity
- Power Platform Inventory (using Azure Functions)
InventoryEnvironments
Defense Evasion
Dataverse - Mass export of records to Excel Identifies users exporting a large amount of records from Dynamics 365 to Excel. The amount of records exported is significantly more than any other recent activity by that user. Large exports from users with no recent activity are identified using a predefined threshold. Export many records from Dataverse to Excel.

Data sources:
- Dataverse
DataverseActivity
- Power Platform Inventory (using Azure Functions)
InventoryEnvironments
Exfiltration
Dataverse - User bulk retrieval outside normal activity Identifies users retrieving significantly more records from Dataverse than they have in the past 2 weeks. User retrieves many records from Dataverse

Data sources:
- Dataverse
DataverseActivity
- Power Platform Inventory (using Azure Functions)
InventoryEnvironments
Exfiltration
Power Apps - Bulk sharing of Power Apps to newly created guest users Identifies unusual bulk sharing of Power Apps to newly created Microsoft Entra guest users. Unusual bulk sharing is based on a predefined threshold in the query. Share an app with multiple external users.

Data sources:
- Microsoft Power Platform Admin Activity (Preview)
PowerPlatformAdminActivity
- Power Platform Inventory (using Azure Functions)
InventoryApps
InventoryEnvironments
- Microsoft Entra ID
AuditLogs
Resource Development,
Initial Access,
Lateral Movement
Power Automate - Unusual bulk deletion of flow resources Identifies bulk deletion of Power Automate flows that exceed a predefined threshold defined in the query and deviate from activity patterns observed in the last 14 days. Bulk deletion of Power Automate flows.

Data sources:
- PowerAutomate
PowerAutomateActivity
Impact,
Defense Evasion
Power Platform - Possibly compromised user accesses Power Platform services Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate, and Power Platform Admin Center. User with risk signals accesses Power Platform portals.

Data sources:
- Microsoft Entra ID
SigninLogs
Initial Access, Lateral Movement

Built-in parsers

The solution includes parsers that are used to access data from the raw data tables. Parsers ensure that the correct data is returned with a consistent schema. We recommend that you use the parsers instead of directly querying the inventory tables and watchlists. The Power Platform inventory related parsers return data from the last 7 days.

Parser Data returned Table queried
InventoryApps Power Apps Inventory PowerApps_CL
InventoryAppsConnections Power Apps connections Inventoryconnections PowerAppsConnections_CL
InventoryEnvironments Power Platform environments Inventory PowerPlatrformEnvironments_CL
InventoryFlows Power Automate flows Inventory PowerAutomateFlows_CL
MSBizAppsTerminatedEmployees Terminated employees watchlist (from watchlist template) TerminatedEmployees
GetPowerAppsEventDetails Returns parsed event details for Power Apps / Connections PowerPlatformAdminActivity

For more information about analytic rules, see Detect threats out-of-the-box.